ABU DHABI // The UAE is expected to issue a law this year requiring companies that operate critical infrastructure to implement heightened security systems.
Key areas include the energy sector, nuclear power plants, oil and gas production facilities, water treatment and electricity.
Andrew Wadsworth, head of process control security at Lockheed Martin, said the country was setting up regulations “to implement security on process control systems so it sets the baseline”.
"It's just about to come into law and we've got the documents, so they're talking about maybe this year. Oil and gas production is key for the UAE because it's their key source of income and the 2030 vision is that they have to reduce their oil and gas dependence economically."
The Supervisory Control and Data Acquisition system controls power generation, traffic management, sewage treatment, oil and gas production, water treatment, electricity and public transport.
“It’s about keeping that process in a predictable and stable state,” Mr Wadsworth said. “The key point is that if these services are lost, it has the potential to lead to severe economic, social problems, unrest and loss of life.”
Energy is considered a “super-critical” part of national infrastructure. “Without energy, none of those other areas can function. So it’s a particular area of focus in the US, the UK and in this region,” he said.
Brig Ismail Al Sarkal, deputy major general of central operations at Abu Dhabi Police, said it was vital for the UAE to have such protection.
“Control systems are very good as they involve high security,” he said. “We never thought this way – how to protect infrastructure. But for oil and gas, nuclear, it’s a must because should anything happen to those infrastructures, the effects would be huge.”
Mr Wadsworth said the UAE’s situation was not yet up to par but the country was more aware than other regions.
“If there’s a network cable, fences won’t do anything to protect a site and attackers don’t even have to be in the same country,” he said. “The threat landscape is changing for process control systems and the number of incidents are getting closer and closer together.”
It can take 18 months before a successful attack is discovered.
“We need to look at segregating areas of the network we need to keep secure,” he said. “But the UAE is taking great strides to establish a Critical National Infrastructure protection policy. You need to look at what the key vulnerabilities are, assess the risks they present and address which ones can’t be tolerated.”
But threats are increasing. According to the US Department of Homeland Security, incidents jumped from nine in 2009 to 39 in 2010, to 256 last year.
“This only represents the tip of the iceberg because it’s voluntary reporting,” Mr Wadsworth said. “Last year, 59 per cent of all incidents were in the energy sector, more than every other sector put together.”
Perpetrators include nation states, activists, terrorists, criminals and suppliers, although sometimes the breach is unintentional.
“We need to start with the people to tackle this”, so education is the key, he said. “Process and procedures need to be clear, simple, repeatable, measurable and auditable to make sure controls are effective.”
He said technology was crucial to identify areas where heightened security was needed. Training and building an operation centre to monitor systems were also vital to secure infrastructure.
cmalek@thenational.ae
